
Cross Platform remote IM vulnerability / DOS



Forewarning: this has not been thoroughly tested, but it has been tested on 
Pidgin on several Windows distros and on Mac OS X running the Adium client. The Mac 
Adium client doesn't freeze up but is still vulnerable to the string and repeats 
it back without the user seeing it occur. I've been very busy the last few years 
and don't have time to follow up or test this further; glad the list still exists, 
apologies for the incompleteness. Use at your own risk, and please don't use it to 
pester others!


There is a string of characters which, when entered into an AIM conversation 
window with another user, will cause that user's client to repeat the same string of 
characters back to you; at the least this could be used to eat up bandwidth. 
The interesting thing about it is that when you send the instant message 
containing the string, the other party sees neither it nor their own reply back to 
you containing the same string: it is totally invisible on the screen. You could 
launch an attack on someone and it doesn't even open a popup IM box; it is transparent.

------------example--------------------

userB: ok im going to send you the string, tell me if you receive anything in 
the im window.
userB: userA: 
?OTR:AAICAAAAxLWYQllUFJTneF0uBhdCjKyvAbB/q2HvyEG8nBmUlztLw0xe4DD50osCo4sTkCaH082Ii3ZZzMvMZJ4QERXLBKdEGH3p5x6TAuAyoyNP6jfpfVideQCeSZgOfBwY82iFeGLDyof7HN+H8ADWOb/KmwjnKQ3PWNWVtrWe+njsuDkdCRZaRUvwggsz1VLsG41gz5CxYrxpwNPEbfelQMoy6rFASf1lKNFvhHkMzvhQnRb2gAP2cXSizEfPJVTEEuwBhK5BqaUAAAAgl5zLWoOI7lQKjTXF3AhbRJguHc/VVEjXuyX950Zdf9I=.
userA: 
?OTR:AAIKAAAAwIJFBPsSOhCvqu9uZJUZP6qkbMaONxAhy/lF2n4AixoRc4xNlwkHSSSqO1x5OKwTUd/Nx/xCuCjcvq42dHFj2ajkZXUKRC8NbyZDuw+2DmQZaKZMkm2N0JY7sRAwcW+vkJ2uybdCqs6YXHLbhlvvxkWoiZFrz5LlHFPtIgQG9PL8Tr5bvk2jztm5vE0V0r/V5r7ePoYo7c1vzBr/R+TMthy78MCwO/9pqVN0LIsgZ1SyUiDhDHfRIvAg2IuLOfvknA==.
userB: see anything after I said window?
userA: no
userA: nothing
-----------------------------------------

At the least this causes the other machine to send out more packets than the 
average user would know of; with a little thinking and just as many 
resources this could be used as a distributed denial of service attack.

On the current version of Pidgin, when this was tested on several OSes, it often 
froze up the target's IM window for the duration of the attack, and sometimes 
entire system performance suffered. While the attack was being performed the IM 
window was unusable.

Side info: if you add or replace characters in the string and send it, it 
will still work, but the new characters don't get repeated back the same way in the 
string.
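For anyone wanting to spot this exchange in chat logs: both strings in the transcript above start with the "?OTR:" prefix that Off-the-Record messaging uses for its encoded messages, and their first four base64 characters decode to protocol version 2 and message types 0x02 and 0x0A, which the OTR specification names DH-Commit and DH-Key. The following is an added example, not code from the original post or from any of the clients named in it; it parses that header without needing the rest of the payload and flags a DH-Commit that is answered by another party's DH-Key. The log lines and the truncated payloads are constructed from the transcript.

```python
import base64
import re

# Type byte that follows the 2-byte protocol version in every "?OTR:" encoded
# message (names per the OTR v2/v3 protocol specifications).
OTR_MSG_TYPES = {0x02: "DH-Commit", 0x0A: "DH-Key", 0x11: "Reveal Signature",
                 0x12: "Signature", 0x03: "Data"}
OTR_TOKEN_RE = re.compile(r"\?OTR:([A-Za-z0-9+/]{4,}=*)")  # base64 body
LOG_LINE_RE = re.compile(r"^(\w+):\s*(.*)$")               # "speaker: text"

def parse_otr_header(text):
    """(protocol_version, message_type_name) for the first "?OTR:" token in
    text, or None. Only the first 4 base64 chars (3 bytes: version, type) are
    decoded, so a truncated or fragmented token is still classified."""
    m = OTR_TOKEN_RE.search(text)
    if not m:
        return None
    header = base64.b64decode(m.group(1)[:4])
    version, mtype = int.from_bytes(header[:2], "big"), header[2]
    return version, OTR_MSG_TYPES.get(mtype, "unknown(0x%02x)" % mtype)

def scan_chat_log(lines):
    """[(speaker, version, message_type_name)] for every "speaker: text" log
    line that carries an OTR encoded message."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        parsed = parse_otr_header(m.group(2)) if m else None
        if parsed:
            hits.append((m.group(1),) + parsed)
    return hits

def unsolicited_handshakes(hits):
    """(sender, responder) for each DH-Commit answered by another party's
    DH-Key: the invisible send-and-auto-reply pattern the post describes."""
    return [(s1, s2) for (s1, _, t1), (s2, _, t2) in zip(hits, hits[1:])
            if t1 == "DH-Commit" and t2 == "DH-Key" and s1 != s2]

# Constructed sample modelled on the post's transcript; the base64 payloads are
# cut to their first characters (real OTR handshake messages run to hundreds).
CHAT_LOG = [
    "userB: ok im going to send you the string, tell me if you receive anything",
    "userB: ?OTR:AAICAAAAxLWYQllUFJTneF0uBhdCjKyvAbB.",
    "userA: ?OTR:AAIKAAAAwIJFBPsSOhCvqu9uZJUZP6qk.",
    "userA: nothing",
]

if __name__ == "__main__":
    for speaker, version, mtype in scan_chat_log(CHAT_LOG):
        print("%s sent OTR v%d %s" % (speaker, version, mtype))
```

Run against a real client log, a DH-Commit from a contact that the local client answered with a DH-Key while nothing appeared in the window is exactly the exchange the transcript shows.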

Discovered by Dan Shinn <danslo@xxxxxxxxx>
Testing by Rick Russel <noneck.net>